OMB Memorandum 17-12 and Privacy

Time: 7 hours 2 minutes
Difficulty: Intermediate
CEU/CPE: 7
Video Transcription
Hello everyone. It's Chris again, and I'm Cybrary's instructor for its US information privacy course. I hope that you're having a great day wherever you are. Looks like the weather has broken here for us in Maryland, and so we should have a good stretch of good weather. I'm thankful for that. In Lesson 3.4, we're going to continue our discussion on the Office of Management and Budget and the guidance that it provides to executive branch agencies in the federal government as it applies to privacy.

OMB Memorandum 17-12 applies only to those agencies in the executive branch, and they must comply with it. But those of you that are privacy professionals in the private sector may find that OMB Memorandum 17-12 is a useful tool because it helps organizations in preparing for and responding to breaches of personally identifiable information.

We have two learning objectives. We're going to talk about the guidance this memorandum gives executive branch agencies on how to prepare for a breach of PII, and we're also going to talk about the response requirements stated in Memorandum 17-12 so that these agencies can respond to a breach of PII.

Now, it's extremely important to you in the private sector to continue to look beyond your own policies, procedures, guidelines, and standards, and to look externally for best practices on how you can improve your organization's, institution's, or your company's incident response procedures and other procedures that pertain to privacy.

Let's talk about OMB Memorandum 17-12. It is a really wonderful tool that provides you with great insights, templates, and guidance on how to prepare for and respond to a breach of PII. It replaces several previous OMB memorandums that dealt with incident response as it applied to a breach of PII: OMB Memorandum 07-16, OMB Memorandum 06-19, and OMB Memorandum 06-15, my apologies.

OMB, when it provided this guidance, understood that not only private sector organizations but public sector organizations also processed PII. They had engaged in information life cycle management: the collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of PII. They wanted to make sure that on that fateful day, should an organization experience a breach of PII, it's prepared to do so.

Now, when we talk about PII, we've talked about it and defined it in previous modules. We talked about names, addresses, dates of birth, your places of employment. We talked about Social Security numbers, other government identified [inaudible]. Now we're talking about precise locational data, medical history, biometrics, and others. We have a responsibility as organizations to ensure that we're protecting that information from the time it's collected until the time we dispose of it.

On that fateful day, you can't just wake up and address a privacy breach. At that time it's too late. You have to be prepared for it, and this memorandum will assist you in doing so.

We've defined PII; we've talked about it as any information that distinguishes or traces an individual, or can be linked directly or indirectly to an individual, as defined in OMB Circular A-130, as we talked about previously.

Now, one thing that Memorandum 17-12 does is make a distinction between what's an incident and what's a breach. When we're talking about incidents, security incidents, it defines an incident as an occurrence that (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system, or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.

Now, it defines a breach as the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses personally identifiable information, or (2) an authorized user accesses or potentially accesses personally identifiable information for an other than authorized purpose. It seeks not only to prepare organizations for external threats, but also internal threats.

It has ways that you can prepare for it. It talks about training and awareness campaigns, which are extremely important. You can't hold individuals accountable if you haven't trained them and then assessed the level of that training. It also accounts for addressing disclosures of Privacy Act routine use information, like we talked about during our discussion on the Privacy Act of 1974, so that when you have system of records notices, they have to address the routine uses of protected disclosure of PII. In the case of breaches, which require some type of notification that we're going to talk about, it talks about requirements for contractors, because you could have a breach that occurs at a contractor site, and so they need to be prepared to respond to those. It also talks about the need to have and identify logistical and technical support that you might need that's not already on your staff. You may have to budget for that as you're accounting for potential breaches in the future.

This memorandum has requirements on reporting suspected or confirmed breaches. It says that these agencies have to report these breaches even if you suspect them, because any delay in the notification could expose organizations or individuals to greater harm. It talks about the importance of establishing a breach response plan: identifying a breach response team, making sure you have the applicable privacy compliance documentation on hand, and ensuring that you have the information-sharing procedures in place to assist you in responding to a breach. Reporting requirements are to US-CERT within 24 hours of a breach and to Congress within seven days of discovery of the breach, and then a follow-up within 30 days. It talks about the importance of assessing the risk of harm to individuals, mitigating the risk of harm, and then notifying individuals potentially harmed by the breach.

We've talked about the external reporting requirements, again to US-CERT, the Computer Emergency Response Team, within 24 hours of realizing that a breach has occurred, and notifying Congress within seven days with a follow-up within an additional 30 days. When we talk about assessing harm to individuals, it's extremely important. Things that you should consider are the nature and sensitivity of the PII potentially compromised by the breach, the likelihood of access and use of that PII, and the type of breach.

Question 1 asks: OMB Memorandum 17-12 provides federal agencies in the executive branch with what? The appropriate answers are B and D. Question 2 asks: how does OMB Memorandum 17-12 define an incident? The appropriate answers are A and D. [NOISE] OMB Memorandum 17-12 defines a breach as what? The appropriate answers are B and C. Question 4 asks: federal agencies must notify the appropriate Congressional committees in compliance with which reporting requirements? B and D. Question 5 asks a question about the SAOP, who manages this process: the SAOP shall consider which of the following factors when assessing the risk of harm to individuals potentially affected by a breach? The answers are A, C, and D.

Now, having worked in the private sector for some time, I have supported agencies in responding to breaches, because it's not if, it's when it affects you, and breaches occur not only in the private sector but the public sector. What's important is that we, as privacy professionals, are prepared to respond to and almost are prepared for dealing with breaches, so that we protect our organization from any potential risks or harms associated with the breach. We talked about 17-12 assisting agencies in preparing for potential breaches and responding to those, its definition of incident and breach, reporting requirements, and how to assess harm.